Techdirt. Stories filed under "chat"
Easily digestible tech news...
https://www.techdirt.com/

Researchers Say Chinese Government Now Censoring Images In One-To-One Chat
Tim Cushing
Wed, 19 Jul 2017 03:20:35 PDT
https://www.techdirt.com/articles/20170718/09555737808/researchers-say-chinese-government-now-censoring-images-one-to-one-chat.shtml

It looks like China is continuing to set the gold standard for internet censorship. For a long time, the Great Firewall has been actively censoring content based on keywords. Activists and dissidents have worked around this filtering by placing text in images, but that doesn't appear to be working nearly as well as it used to.

On WeChat, we collected keywords that trigger message censorship related to Liu Xiaobo before and after his death. Before his death, messages were blocked that contained his name in combination with other words, for example those related to his medical treatment or requests to receive care abroad. However, after his death, we found that simply including his name was enough to trigger blocking of messages, in English and both simplified and traditional Chinese. In other words, WeChat issued a blanket ban on his name after his death, greatly expanding the scope of censorship.

We documented censorship of images related to Liu on WeChat after his death, and for the first time found images blocked in one-to-one chat. We also found images blocked in group chat and WeChat Moments (a feature that resembles Facebook’s Timeline where users can share updates, upload images, and short videos or articles with their friends), before and after his death.

China has tackled image censorship before, but it hasn't been able to achieve this in one-to-one chat until now. And it's being done stealthily to prevent senders or receivers from knowing their images have been blocked.

Similar to keyword-based filtering, censorship of images is only enabled for users with accounts registered to mainland China phone numbers. The filtering is also not transparent. No notice is given to a user if the picture they sent is blocked. Censorship of an image is concealed from the user who posted the censored image.

The censorship is only apparent to international users without registered Chinese phone numbers. And, like most blanket censorship efforts, it's far from perfect.

The exact mechanism that WeChat uses to determine which images to filter is unclear and in our testing sample we found unexpected results. Blocked images included screenshots of official government statements on Liu Xiaobo’s death, which we did not expect to be censored. We also found images that were not blocked that could be seen as sensitive, such as an image of book covers of “Charter 08” and a Biography of Liu Xiaobo, which are both banned in mainland China.

As Citizen Lab points out, this censorship effort is especially concerning, as it indicates the Chinese government is possibly in the business of internet-enabled retroactive amnesia. If it leaves the filtering in place long enough and censors enough websites and personal chats, the history of Liu Xiaobo will be slowly rewritten with narratives approved by the Chinese government.

Thai Government Demands Popular Chat App Reveal Any Time Any User Insults The King
Mike Masnick
Wed, 2 Nov 2016 16:31:03 PDT
https://www.techdirt.com/articles/20161101/23484535940/thai-government-demands-popular-chat-app-reveal-any-time-any-user-insults-king.shtml

true end-to-end encryption. Earlier this year, the company made end-to-end encrypted chats the default, rather than as a user option (Thank you Snowden!).

Good timing. The company has apparently now refused to obey a Thai government demand that it alert the government to anyone insulting the Thai royal family on the messaging app. For years, we've written about Thailand's ridiculous lese majeste laws, which make it a crime to insult the king. As we've noted, the law is used as a way to censor and crack down on political opponents. And, of course, with the death of the Thai king last month, there's been a sudden uptick in Thai officials going after people for supposed lese majeste violations.

But Line is telling the government that it just can't help out here.

"We do not monitor or block user content. User content is also encrypted, and cannot be viewed by LINE," the statement sent to DPA said.

Of course, there's been some controversy in the past over this. Back in 2014, Thailand announced that it was instituting a broad surveillance program to snoop on basically all internet communications for the sake of seeking out and punishing lese majeste violators. A few months later, Thai government officials flat out claimed that this included monitoring Line messages, something that the company flat out denied (though, that may have also inspired the move to encryption). While Thai officials have, at times, even claimed the ability to read encrypted messages, it seemed like that was just idle boasting, rather than a legitimate revelation of surveillance capabilities.

There is one oddity about Line's response to the Thai government, though:

"We ask the authorities seeking to obtain user data to make official requests through diplomatic channels and have so advised the Thai authorities," LINE added.

So, uh, if the messages are all end-to-end encrypted and there's no way for Line to access them to share with any government, why is it asking the Thai government to use diplomatic channels to make an official request?

The Rise Of More Secure Alternatives To Everyone's Favorite Chat App, Slack
Mike Masnick
Wed, 3 Aug 2016 16:07:31 PDT
https://www.techdirt.com/articles/20160729/17552135109/rise-more-secure-alternatives-to-everyones-favorite-chat-app-slack.shtml

Slack here. While we saw some folks claim it was revolutionary, we found it to be a nice, but somewhat marginal, upgrade to our previous use of Skype chat rooms. But, over time, it has certainly gotten comfortable, and there have been some nice feature add-ons and integrations that have made it a pretty cool service overall -- though if you really want to use it to its fullest extent and switch to the paid version, it can get pretty pricey, pretty quickly. I also am in a bunch of other group Slack chats, as it's basically become the platform of choice for group discussions.

However, in these days where hacked emails are in the headlines, I can see why some might get nervous about using a tool like Slack. Not that there have been any known breaches of Slack that I'm aware of, and I'm sure that the company takes security very seriously (it would undermine its entire business if it failed on that front...), but it's been interesting to see other options start to pop up, which might be more appetizing for those who are extra security conscious.

Just as we've been encouraged to see greater use of encryption on mobile phones, email and on websites, it's good to see new entrants trying to take on Slack with a focus on security and privacy. The most recent, and perhaps most interesting, player in the space is SpiderOak, which recently launched its Semaphor Slack competitor on the market. I've been playing around with it -- and while it's early on, it certainly has potential. SpiderOak is the company you should already know of that provides an encrypted "zero knowledge" cloud backup solution. Since you keep the keys, even though it's hosted in the cloud, SpiderOak has no way to decrypt your files should anyone hack in, or should the government come calling. It's now taken that approach to Semaphor, which obviously takes its inspiration from Slack (and feels quite similar), but with the same zero knowledge encrypted setup. You get a key and that encrypts all of the data in your group messaging.

There are some limitations there -- of course -- because any team member might leak their key (though whoever gets in would just have access to whatever that team member can see). And, because of this setup, it's not as easy to do "integrations" with third-party apps and services, which is a key selling point of Slack. Semaphor is apparently trying to work its way around this limitation by creating bots that act as their own users within Semaphor (something Slack has also), but where the bots themselves become the key to integrations. It's a bit more clumsy, but if it helps keep things secure, that seems promising.

SpiderOak also, kindly, makes the Semaphor client source code available for anyone to audit, which is necessary if anyone's going to take their encryption seriously. Of course, Semaphor is, like Slack, working off a Freemium model, where additional features require per user fees, which can add up. One nice feature of Semaphor that Slack doesn't have: the ability for individuals to pay their own way. That is, there are lots of Slack groups that are general interest groups around certain topics, and not a company's own internal group. Those groups are never going to use a paid option, because there's no "company" to pay for all users. Semaphor offers an alternative, where each user can just pay their own way -- which might be appealing to some user groups.

The other alternatives that have been getting some attention lately are a couple of attempts to basically create a truly open source Slack clone that can be self-hosted. The two big players here are Mattermost and RocketChat. Both have built open source, self-hosted Slack clones (and both try to make money by offering paid hosting for those who want it). Mattermost is quite upfront that it's building a Slack alternative -- it's all over its website -- though it also points out that it's tried to improve on some things in Slack. RocketChat doesn't seem to mention Slack, and, frankly, feels a bit behind Mattermost in development (though it also announced that it's about to run a Kickstarter campaign to jumpstart more development).

Now, whether or not a self-hosted open source alternative is more secure than Slack... may depend. If you're doing the self-hosted version then you're basically relying on your own ability to keep the implementation secure. That might work. Or, whoever you have securing your installation might not be as good or as responsive as, say, the security team at Slack. But, using an open source solution that you host obviously does provide you with a lot more control and the ability to make any changes you think are necessary.

As someone who talks quite frequently about how competition drives innovation, it's great to see all of this happening. I don't think any of them will harm Slack's place in the market, which has become pretty standard in a lot of companies, but as more and more companies are realizing that they need to really think through security of their communications tools, it's a very good thing to see competition popping up. Hopefully, these competitors get stronger as well, and help drive more overall innovation -- including the focus on security and encryption -- across the entire market.

To Avoid Government Surveillance, South Koreans Abandon Local Software And Flock To German Chat App
Glyn Moody
Mon, 17 Nov 2014 14:29:48 PST
https://www.techdirt.com/articles/20141112/13281229123/to-avoid-government-surveillance-south-koreans-abandon-local-software-flock-to-german-chat-app.shtml

online users are subject to high levels of surveillance and control, as the site Bandwidth Place explains:

Under the watchful eye of the Korea Communications Standards Commission (KCSC), Internet use, web page creation, and even mapping data are all regulated. As noted recently by the Malaysian Digest, children under 16 are not permitted to participate in online gaming between midnight and 6 a.m. -- accessing the Internet requires users to enter their government-issued ID numbers. In addition, South Korean map data isn't allowed to leave the country, meaning Google Maps can't provide driving directions, and last year the KCSC blocked users from accessing 63,000 web pages. While it's possible to get around these restrictions using a virtual private network (VPN), those found violating the nation’s Internet rules are subject to large fines or even jail time.

Many users have switched [from the hugely-popular home-grown product KakaoTalk] to a German chat app called Telegram. It had 50,000 users in early September. Now 2 million people have signed up.

That's a useful reminder that fast Internet speeds on their own are not enough to keep people happy, and that even companies holding 90% of a market, as Kakao does in South Korea, can suffer badly once they lose the trust of their users by seeming too pliable to government demands for private information about their customers.

This seems like the type of lesson that the giant US internet companies and the NSA (along with its defenders) should be learning.

NSA Collects Email Contact Lists, Instant Messaging Chat Buddy Lists From Overseas With No Oversight At All
Mike Masnick
Mon, 14 Oct 2013 17:25:29 PDT
https://www.techdirt.com/articles/20131014/16562224878/nsa-collects-email-contact-lists-instant-messaging-chat-buddy-lists-overseas-with-no-oversight-all.shtml

email contact lists and instant messaging buddy lists to help build its giant database of connections. Remember a few weeks ago how it was reported that the NSA was basically building a secret shadow social network? It seems like this might be one of the ways it's able to tell who your friends are.

There are a variety of important points here. First off, this information is not coming directly from the tech companies (which, again, suggests that earlier claims that the NSA had direct access to all their servers were mistaken). Rather they're picking this information up off the backbone connections in foreign countries. It also explains why they get so much data from Yahoo -- because, for no good reason at all, Yahoo hasn't forced encryption on its webmail users until... the news of this started to come out.

And here's the big problem: because all of this information is collected overseas, rather than at home, it's not subject to "oversight" (and I use that term loosely) by the FISA court or Congress. Those two only cover oversight for domestic intelligence. The fact that the NSA can scoop up all this data overseas is just a bonus.

Also, while the program is ostensibly targeted at "metadata" concerning connections between individuals, the fact that it collects "inboxes" and "buddy lists" appears to reveal content at times. With buddy lists, it can often collect content that was sent while one participant was offline (where a server holds the message until the recipient is back online), and with inboxes, they often display the beginning of messages, which the NSA collects.

Separately, because this is allowing them to gather so much data, it apparently overwhelmed the NSA's datacenters. At times, this is because they get inundated with... spam. For example, one of the documents revealed shows that a target they had been following in Iran had his Yahoo email address hacked for spamming, and that presented a problem:

In fall 2011, according to an NSA presentation, the Yahoo account of an Iranian target was “hacked by an unknown actor,” who used it to send spam. The Iranian had “a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members.”

The cascading effects of repeated spam messages, compounded by the automatic addition of the Iranian’s contacts to other people’s address books, led to a massive spike in the volume of traffic collected by the Australian intelligence service on the NSA’s behalf.

After nine days of data-bombing, the Iranian’s contact book and contact books for several people within it were “emergency detasked.”

Because of this mess, the NSA has tried to stop collecting certain types of information, doing "emergency detasks" of certain collections. This, yet again, shows how ridiculous Keith Alexander's "collect it all" mantra is. When you collect it all, you get inundated with a ton of bogus data, and the information presented here seems to support that.